1. Field of the Invention
The present invention relates in general to computer network security, and in particular, to a system and method for providing access authentication of users attempting to gain access to a network based on connection orientation parameters to prevent security breaches of the network.
2. Related Art
The development of computerized distributed information resources, such as the Internet, allows users to link with servers and networks, and thus retrieve vast amounts of electronic information heretofore unavailable in an electronic medium. Such electronic information increasingly is displacing more conventional means of information transmission, such as newspapers, magazines, and even television. The term Internet is an abbreviation for “Inter-network”, and refers commonly to a collection of computer networks. TCP/IP is an acronym for Transport Control Protocol/Internet Protocol, a software protocol developed by the Department of Defense for communication between computers.
Internet services are typically accessed by specifying a unique address, a universal resource locator (URL). The URL has two basic components, the protocol to be used, and the object pathname. For example, the URL http://www.ibm.com (home page for International Business Machines—IBM) specifies a hypertext transfer protocol (“http”) and a path name of the server (“www.ibm.com”). The server name is associated with a unique numeric value (a TCP/IP address, or “domain”).
The Internet has rapidly become a valuable source of information to all segments of society. In addition to commercial enterprises utilizing the Internet as an integral part of their marketing efforts in promoting their products or services, many federal, state, and local government agencies are also employing Internet sites for informational purposes, particularly agencies which must interact with virtually all segments of society, such as the IRS. The information provided is often updated regularly to keep users current with changes which may occur from time to time.
The World Wide Web (WWW or Web) is a graphic, interactive interface for the Internet. There are different programs that facilitate user scanning and selecting at this interface. The interaction is called browsing, and programs (web browser clients) on a data processing system (which may be a computer) perform this function. A data processing system connected to the Web may access a server (a program on another data processing system) also connected to the Web.
The program on the server is generally termed a “web site”. Web sites are a collection of “web pages”, where web pages are graphic displays, which are usually linked together, and may be downloaded to a data processing system utilizing a browser client. Each web page has a URL within the Web that is accessible by utilizing TCP/IP transactions via telecommunication networks and a modem. The address allows Internet browser clients to connect and communicate with a Hypertext Transfer Protocol (HTTP) server over the Web.
Retrieval of information on the Web is generally accomplished with a hypertext markup language (HTML) compatible browser. This is an application program capable of submitting a request for information identified by a URL at the client machine. The information is provided to the client formatted according to HTML.
Each Web address (www) specifies or implies a reference to one particular site on the Internet. This means that without some kind of additional machinery, whenever a person requests a specific www address, no matter the location or the number of other simultaneous requests, the call will be made to that specific site.
As the Internet and its underlying technologies have become increasingly pervasive, attention has focused on Internet security and computer network security in general. There has been an increase in the unauthorized opportunity to gain access to data, change data, destroy data, use computer resources, etc. Many networks are secured with a security perimeter. Machines within the security perimeter have ready access to data stored in the secure network. The security perimeter may be defined by firewall software, routing limitations, encryption, virtual private networks and/or other means. Firewalls are intended to shield data and resources from network intruders.
In general, a firewall is a gatekeeping computer that is connected between the Internet and the private intranet. The firewall protects the private intranet by filtering traffic to and from the Internet based on network policies. Typically, the firewall provides a single check point where network traffic can be audited. Most firewalls can be classified as either a packet filtering firewall or a proxy based application gateway firewall.
Packet filtering firewalls (packet filters) are typically implemented in routers. The routers use tables to indicate which communication protocols are allowed into and out of a particular network. Such packet filters drop, reject or permit passage of packets of information based on destination address, source address, and application port numbers. Packet filters do not maintain context or understand the applications with which they are dealing. They make decisions purely by looking at Internet Protocol (IP) headers and interpreting the rules they are programmed to follow. The reliance of packet filters on header information allows unauthorized users to mimic the IP address of trusted machines and thereby gain unauthorized access. Thus, packet filtering firewalls are susceptible to security breaches.
One solution is to use another type of firewall, namely, a proxy based application gateway firewall (also known as an application firewall, or proxy firewall). This firewall runs programs called proxies, or proxy software, that secure information flowing through a gateway. All Internet traffic is funneled through a gateway controlled by proxy software. The proxy software transfers incoming information to an internal network based on the access rights of individual users.
Because proxy software is typically an application program, it makes its decision based on context, authorization and authentication rules, and does not depend on the IP address alone. Typically, proxy firewalls operate at the highest level of the protocol stack. They allow a private intranet systems analyst to implement security policies based on a wide range of defensive measures.
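The contrast drawn in the two passages above, as an added illustration that is not part of the patent text: a stateless packet filter that decides purely on header fields, beside a proxy gateway that additionally requires an authenticated user with the access right for the requested service. The addresses, rule table and access list are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str                     # source IP address from the IP header
    dst: str                     # destination IP address
    dport: int                   # application port number
    user: Optional[str] = None   # identity known only to a proxy that authenticated the session

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit", "drop" or "reject"
    src: str = "*"               # "*" matches any address
    dst: str = "*"
    dport: Optional[int] = None  # None matches any port

def _match(value, pattern) -> bool:
    return pattern in ("*", None) or value == pattern

def packet_filter(rules, pkt: Packet) -> str:
    """Packet filter: first matching rule wins, default drop. Only header fields are
    consulted, so two packets with identical headers are indistinguishable to it."""
    for r in rules:
        if _match(pkt.src, r.src) and _match(pkt.dst, r.dst) and _match(pkt.dport, r.dport):
            return r.action
    return "drop"

def proxy_gateway(rules, acl, pkt: Packet) -> str:
    """Proxy gateway: the packet must pass the filter AND the request must come from an
    authenticated session whose user holds the access right for the destination port."""
    if packet_filter(rules, pkt) != "permit":
        return "drop"
    if pkt.user is None:
        return "reject"          # no authenticated session: header match alone is not enough
    return "permit" if pkt.dport in acl.get(pkt.user, set()) else "reject"

# Constructed sample policy: only the trusted host may reach the file server on port 22.
RULES = [Rule("permit", src="10.0.0.5", dst="10.0.0.20", dport=22), Rule("drop")]
# Constructed per-user access rights used by the proxy.
ACL = {"alice": {22}}
```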
However, many firewalls do not extend far enough into an organization's intranet of computers, which can compromise security of that organization. Therefore, what is needed is a system and method to extend network security beyond the firewall and onto all computers on an intranet.